How the hacker bogeyman is coming to get you

In 1947, Harry Truman wanted Congress to vote for $400 million in aid to support Greece and Turkey against the threat of communist takeover.

That was a lot of money back then. What's more, Truman had to win over a Republican-led Congress dominated by isolationists. But Sen. Arthur Vandenberg of Michigan, an influential Republican who also chaired the Senate Foreign Relations Committee, offered the president a sage piece of advice: Make a personal appearance before Congress, play up the threat of Soviet expansionism, "and scare the hell out of the American people."

Which is exactly what Truman did. (Click here for the text of Truman's March 12, 1947 speech.) And it worked. Congress allocated the funds, and the United States embarked upon a half-century battle against communism which resulted in the 1991 dissolution of the Soviet Union.

U.S. Defense Secretary Leon Panetta, who is familiar with that history, borrowed the Truman-Vandenberg playbook as he stumped on behalf of new cybersecurity legislation, warning of a possible "cyber-Pearl Harbor" in a speech last week.

I know that when people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people's identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today. But the even greater danger -- the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyberattack perpetrated by nation states are violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.

That's a big statement. Yet Panetta was only getting started.

An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shutdown the power grid across large parts of the country.

The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a cyber-Pearl Harbor; an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.

Batten down the hatches?
Scary stuff. Should we believe it?

To be fair, it's not as if Panetta pulled this one entirely out thin air. If hackers were able to exploit security holes in control software, they could wreak havoc at U.S. water and power plants and that would be a disaster. (In 2007, the Department of Homeland Security released footage of the after-effects of an experimental cyberattack that caused a generator to self-destruct.) Historically, managers of water and power systems have been far less rigorous about applying security patches than their opposite numbers in the IT industry. Chris Blask, the CEO of ICS Cybersecurity, told MIT Technology Review that the traditional focus on "stability and reliability" among power and water systems managers has left many vulnerabilities unpatched, and so with more plants allowing engineers to log in remotely, the door is theoretically open for hackers to do the same.

Theory is one thing; practice is quite another. To date, the government hasn't released convincing evidence that the threat is anything as dire as advertised. But that hasn't stopped the flow of hyperbole.

In July, President Obama published an op-ed in The Wall Street Journal making many of the same arguments offered up by his Defense Secretary. All this is taking place as the U.S. is rethinking the concept of cyber defense. Panetta's speech came close to offering the first public declaration by the U.S. that it has launched cyberattacks:

Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America. But we won't succeed in preventing a cyber attack through improved defenses alone. If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president. For these kinds of scenarios, the department has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace.

Given that newly aggressive posture, you can understand why the generals might want to make sure the homeland is locked down tight if and when a country or terrorist group attempts to pay us back. With the administration hoping to overcome GOP opposition to new cybersecurity legislation, scaring the hell out of people might be just the ticket. Arthur Vandenberg would have approved.